At Nord Security, we strive to maximize the security of our infrastructure and customers' data. We believe that in order to reach our goal community participation is essential. Please note that your submission of potential security vulnerability finding (“Vulnerability Finding”) is voluntary and subject to the terms and conditions set forth in this Policy. By submitting a vulnerability to us you acknowledge that you have read and agreed to this Policy.

Program Rules

Our main rules are as follows:

---

• Automated testing is not permitted.
• Follow HackerOne’s Disclosure Guidelines.
• You must be the first person to notify us of a finding that alerts us to a previously unknown issue and that issue triggers a code or configuration change. If different attack vectors result in the same mitigation, Nord Security reserves the right to reward only the first report that is validated for that fix. All subsequent reports that are addressed by that mitigation will be considered as duplicates, regardless of the attack vector. In most instances, you will not be notified of a duplicate report condition until after the vulnerability has been fully remediated.
• We award bounties once the vulnerability is fixed, and will keep you posted as we work to resolve them.
• We reserve the sole right to determine the size of the reward if any. We determine this on a case-by-case basis, depending on overall severity (including the business impact, creativity of the issue, etc.). You shall respect our final decision.
• We may pay even higher rewards for, especially clever or severe vulnerabilities. We recommend for you to use Common Vulnerability Scoring System Version 3.0 Calculator as a general guide on vulnerability severity levels. However, please note that this serves only as a rough guide and does NOT guarantee that we will give the same evaluation to your Vulnerability Finding. The final and actual severity level is determined by us in our sole discretion.
• To receive a reward, you must disclose the vulnerability report directly and exclusively to us.
• Previous reward amounts are not considered a precedent for future reward amounts.
• Reward may be denied if there is reason to believe that there has been a violation of this Policy.
• You may need to provide additional information, which would be necessary to receive the reward.
• Taxes on rewards given to you are your sole responsibility.
• Reward will be forfeited, if it remains unclaimed or undeliverable for a period of six (6) months counting from the date you are notified of the determined reward amount
• Contacting our team regarding the status of a report through any other channel than Hackerone will result in an immediate disqualification for a bounty for that report.
• Please recognize that Nord Security operates complex infrastructure and the amount of time required to address a reported issue can vary from a few hours to several months. You will receive notification of the final outcome of our remediation efforts once the report has been passed to the internal security team. Nord Security cannot provide updates on remediation efforts that are in progress.

Reports related to third-party or open-source dependencies are out of scope unless all of the following apply:

• The vulnerability affects our product/infrastructure
• The impact is caused by our implementation, configuration, or failure to update
• The report includes clear, reproducible evidence of exploitability in our product
• The report does not rely solely on:
  • an upstream CVE or security advisory
  • a blog post or public proof-of-concept
  • automated dependency scan output
  • dependency version enumeration

For vulnerabilities that have already been fixed upstream:

• Reports must demonstrate exploitability in our product
• Reports based only on using a vulnerable dependency version are not eligible
• Simply noting that an upstream fix exists but has not yet been adopted is insufficient

For vulnerabilities in third-party or open-source dependencies where a fix has been publicly available upstream for 30 days or more, reports may be considered on a case-by-case basis. Eligibility and bounty decisions will depend on factors such as:

• demonstrated exploitability in our product
• severity and real-world impact
• ease of exploitation and likelihood of abuse
• whether the issue represents a meaningful security risk to users

The existence of an upstream fix alone, or the passage of time since its release, does not guarantee eligibility for a bounty.

This Policy supplements the terms of any other agreement (collectively – “Agreements”) in which you have entered with us. If any inconsistency exists between the terms of the Agreements and this Policy, this Policy will prevail, but only with regard to the potential security vulnerability reporting, unless otherwise agreed by us in writing.

#Public Disclosure

---

Nord Security follows HackerOne’s Coordinated Vulnerability Disclosure guidelines.

• Researchers must comply with HackerOne’s Disclosure Guidelines at all times.
• Any public disclosure requires prior approval from Nord Security.
• Submission of a disclosure request does not guarantee approval.

Nord Security reserves full discretion to:

• approve or decline disclosure requests,
• determine the timing of any approved disclosure,
• limit the level of technical detail disclosed.

These rules apply to all reports, including valid, invalid, duplicate, informational, and out-of-scope findings, regardless of reward eligibility.

Scope of Accepted Reports

---

Accepted, in-scope findings, include, but are not limited to:

1. NordVPN, NordPass and NordLocker consumer applications on all platforms:
   • Windows
   • Mac
   • iOS
   • Android
   • Linux
   • Browser extensions and official apps on third-party devices.
2. Nord Security VPN servers.
3. Nord Security backend services and website.

Out-Of-Scope Reports (not eligible for a reward)

---

1. Findings from physical testing such as office access (e.g. open doors, tailgating).
2. Denial of service (DOS) attacks.
3. Unofficial third-party applications, scripts, and integrations.
4. End-of-life application versions.
5. Vulnerabilities only affecting users of outdated or unpatched browsers and platforms.
6. Any other submissions determined to be low risk, based on unlikely or theoretical attack vectors, requiring significant user interaction or resulting in minimal impact.
7. WordPress bugs (please report those to WordPress directly).
8. OpenVPN bugs (please report those to OpenVPN directly).
9. StrongSwan bugs (please report those to StrongSwan directly).
10. Out of date software – we do not always run the most recent software versions (patched).
11. Subdomains, including but not limited to:
    • affiliates.nordvpn.com
    • go.nordvpn.com
    • zendesk.nordvpn.com
    • prevention.nordvpn.com
    • 595468.nordvpn.com
    • c.nordvpn.com
    • bounces.nordvpn.com
    • links*.nordvpn.com
    • mltrack.nordvpn.com
    • mltracksgrd.nordvpn.com
    • support.nordvpn.com
    • nordaccount.com
    • nordcheckout.com
    • nordsecurity.com
    • sailysupport.zendesk.com
12. Anything related to credential stuffing and account takeover.
13. Brute force testing, Cloudflare bypass to determine whether rate limiting is in place for particular APIs or pieces of functionality (unless it constitutes a significant risk)
14. User account verification/enumeration attacks
15. User account deletion process
16. Findings derived from social engineering (e.g. phishing, vishing, spam) techniques, including:
    • SPF and DKIM issues
    • Content injection
    • Hyperlink injection in emails
    • IDN homograph attacks
    • RTL Ambiguity
17. Content Spoofing
18. Issues related to Password Policy
19. Missing best practices, information disclosures, use of known-vulnerable libraries or descriptive / verbose / unique error pages (without substantive information indicating exploitability)
20. HTTP TRACE or OPTIONS methods enabled
21. Self-XSS and issues exploitable only through Self-XSS
22. Exploits that require physical access to a user's machine
23. Non-sensitive (ie. non-session) cookies missing the Secure or HttpOnly flags
24. Bugs that do not represent any security risk
25. Submissions from former NordVPN employees within one year of their departure from NordVPN
26. Issues found through automated testing
27. "Scanner output" or scanner-generated reports
28. SSL or ssh issues (weak ciphers/key-size/BEAST/CRIME)
29. CSRF without proof of security impact
30. Application or server error messages, stack traces
31. Hardcoded Firebase API keys in applications (unless it constitutes a significant risk)
32. Attacks using the IP Rotate method
33. All reports related to NordLayer services and infrastructure.
34. Antimalware detections bypass or undetected malware samples
35. OpenVPN Configuration files (they are intended to be public)
36. Feature bypasses are acceptable unless they pose a security risk to other users, the product, or the service; simply accessing, abusing, or bypassing premium features is not sufficient.
37. Any attacks on our applications that require the use of a rooted or jailbroken device.